Reference Format

We use the URL syntax to describe references to a secret store.

  {vault://<vault-backend|entity>/<secret-id>[/<secret-key>][/][?query][#version]}

Protocol/Scheme

  {vault://<vault-backend|entity>/<secret-id>[/<secret-key>]}
   ^^^^^

The vault scheme marks the value as a vault reference: Kong resolves any configuration value with this scheme by looking the secret up in the vault named in the rest of the URL, instead of using the literal string.

Host/Path

  {vault://<vault-prefix>/<secret-id>[/<secret-key>]}
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The host and path of the URL define the following:

Vault Prefix

The prefix for a vault can be either the name of a built-in backend or the name of a vault entity that you created.

Examples:

  {vault://env/<secret-id>[/<secret-key>]}
           ^^^

or using a vault entity

  {vault://my-env-vault/<secret-id>[/<secret-key>]}
           ^^^^^^^^^^^^

Secret ID

The secret-id identifies a secret stored in the vault. The vault may return either a string value (a single secret) or a secret object holding several related secrets, such as a username and a password.

Secret Key

The secret-key selects one field of the secret object returned for the secret-id.

If the path ends with /, the last path segment is not treated as a Secret Key but as part of the Secret ID. The difference between the Secret Key and the Secret ID is that only the Secret ID is sent to the vault API; the Secret Key is used only when processing

Query

Query arguments pass configuration options, in key=value format, to the vault named by the Vault Prefix.

Version

  {vault://<vault-backend|entity>/<secret-id>[/<secret-key>][/][?query][#version]}
                                                                       ^^^^^^^^^^

The version, specified as the fragment of the vault URL, selects a specific version of the secret stored in the vault backend. It applies only to backends that support versioning.
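The following parser and resolver, added here as an illustration and not taken from Kong's own code base, walks a reference through every component described above: scheme check, vault prefix, the trailing-slash rule that decides whether the last path segment is a Secret Key or part of the Secret ID, query options, and the version fragment. It also shows the point that only the Secret ID reaches the backend: the constructed env backend records what it was asked for, and the Secret Key is applied locally to the returned object. The environment variables, the BACKENDS table, and the env backend's mapping from secret-id to variable name (upper-cased, "-" replaced by "_", with an optional prefix option) are assumptions made for this demo, not Kong's implementation.

```python
"""Parse and resolve references of the form
{vault://<prefix>/<secret-id>[/<secret-key>][/][?query][#version]}.

Added example, not Kong's code. The env backend below is a constructed
stand-in, and its secret-id to variable-name mapping is an assumption.
"""
import json
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import parse_qsl, urlsplit


@dataclass
class VaultReference:
    prefix: str                 # backend name or vault entity name
    secret_id: str              # the only part sent to the vault API
    secret_key: Optional[str]   # field of a secret object, applied locally
    config: dict                # ?query options, key=value
    version: Optional[str]      # #fragment, for backends that version secrets


def parse_reference(ref: str) -> VaultReference:
    """Split a {vault://...} reference into its components."""
    if not (ref.startswith("{") and ref.endswith("}")):
        raise ValueError("reference must be wrapped in { }")
    parts = urlsplit(ref[1:-1])
    if parts.scheme != "vault":
        raise ValueError("scheme must be 'vault'")
    if not parts.netloc:
        raise ValueError("missing vault prefix")
    path = parts.path.lstrip("/")
    if not path:
        raise ValueError("missing secret id")
    if path.endswith("/"):
        # Trailing slash: the last segment belongs to the secret id, no key.
        secret_id, secret_key = path.rstrip("/"), None
    else:
        # Otherwise the last segment is the secret key, the rest the secret id.
        head, sep, tail = path.rpartition("/")
        secret_id, secret_key = (head, tail) if sep else (tail, None)
    if not secret_id:
        raise ValueError("missing secret id")
    config = dict(parse_qsl(parts.query, keep_blank_values=True))
    return VaultReference(parts.netloc, secret_id, secret_key, config,
                          parts.fragment or None)


# Constructed environment for the demo; a real env backend reads os.environ.
DEMO_ENV = {
    "PG_PASSWORD": "s3cr3t",
    "DB_CREDS": '{"username": "kong", "password": "hunter2"}',
    "APP_DB_CREDS": '{"username": "app", "password": "pa55"}',
}
BACKEND_CALLS: list = []   # records (backend, variable name) per lookup

Backend = Callable[[str, dict, Optional[str]], Optional[str]]


def env_backend(secret_id: str, config: dict,
                version: Optional[str]) -> Optional[str]:
    """Stand-in env vault: returns the raw variable value, or None."""
    # Assumption for the demo: name = prefix option + upper-cased id, '-' -> '_'.
    name = config.get("prefix", "") + secret_id.upper().replace("-", "_")
    BACKEND_CALLS.append(("env", name))
    return DEMO_ENV.get(name)


# Both a backend name and a user-created vault entity can serve as prefix.
BACKENDS: dict = {"env": env_backend, "my-env-vault": env_backend}


def resolve(ref: str, backends: dict = BACKENDS) -> Optional[str]:
    """Dereference a vault reference. Only secret_id, config and version
    reach the backend; secret_key is applied here to the returned object."""
    r = parse_reference(ref)
    backend = backends.get(r.prefix)
    if backend is None:
        raise LookupError(f"no vault named {r.prefix!r}")
    raw = backend(r.secret_id, r.config, r.version)
    if raw is None or r.secret_key is None:
        return raw
    try:
        obj = json.loads(raw)
    except ValueError:
        obj = None
    if not isinstance(obj, dict):
        raise ValueError(f"secret {r.secret_id!r} is not an object; "
                         f"cannot select key {r.secret_key!r}")
    return obj.get(r.secret_key)


def is_reference(value: str) -> bool:
    """True if value parses as a vault reference."""
    try:
        parse_reference(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for ref in ("{vault://env/pg-password}",
                "{vault://env/db-creds/username}",
                "{vault://my-env-vault/db-creds/?prefix=APP_}"):
        print(ref, "->", resolve(ref))
```

Note the two lookups of the same object: `{vault://env/db-creds/username}` sends `db-creds` to the backend and picks `username` locally, while `{vault://my-env-vault/db-creds/?prefix=APP_}` (trailing slash) returns the whole object and passes the `prefix` option through. A plain string secret addressed with a key is rejected rather than silently returned, which is the failure mode a practitioner hits when a secret that was expected to be JSON is not.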